On Sat, 5 Oct 2002 14:48:22 +0200, Paul Boehm <typo@soniq.net> wrote:
> As uid/gid are part of the Application, a compromised application can write a shutdown.tap with different uid/gids.

Why, in a security-conscious environment, are you allowing the uid/gid that the server is running as to even _read_ the .tap? In any event, the .tap is effectively an SUID binary, and should be writable only by root.

The whole notion of this automatic persistence is somewhat at odds with that of security - .tap persistence is very explicitly designed to have no security constraints whatsoever, but to be very convenient. If you need both persistence and security, then you have to design your persistence mechanism to constrain what can be persisted. Pickle effectively allows literal code to be stored and executed.

-- 
 |    <`'>     | Glyph Lefkowitz: Traveling Sorcerer   |
 |   < _/ >    | Lead Developer, the Twisted project   |
 |  < ___/ >   | http://www.twistedmatrix.com          |
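The two mitigations the reply points at, treating the persistence file like an SUID binary (owned by root, writable by nobody else) and constraining what the pickle may reference, sketched as an added example. This is not Twisted code and not how Twisted loaded .tap files in 2002; the allow-list of globals, the ownership check and the `demo()` helper are constructed for illustration, and the check takes the expected owner uid as a parameter so the example can run as an unprivileged user (a real deployment would pass 0).

```python
import collections
import io
import os
import pickle
import stat
import tempfile

# Constructed policy for this example: the only globals a persistence file may
# resolve. Anything else is refused before any object is constructed, which is
# what "constrain what can be persisted" amounts to for pickle.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "tuple"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves module.name references on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}")


def restricted_loads(data: bytes):
    """Load a pickle, failing closed on any global not on the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_persistence_file(path: str, expected_uid: int):
    """Return None if the file is acceptable, else a string naming the problem.

    Mirrors the SUID-binary analogy: the file must be a regular file owned by
    expected_uid (root in production) and writable by the owner only.
    """
    st = os.lstat(path)  # lstat: do not follow a symlink planted in its place
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_uid != expected_uid:
        return f"owned by uid {st.st_uid}, expected {expected_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others"
    return None


def load_persistence_file(path: str, expected_uid: int):
    """Permission check first, restricted unpickle second."""
    problem = check_persistence_file(path, expected_uid)
    if problem:
        raise PermissionError(f"{path}: {problem}")
    with open(path, "rb") as f:
        return restricted_loads(f.read())


def demo():
    """Constructed demonstration returning a dict of pass/fail outcomes.

    A benign uid/gid record round-trips; a pickle that references a class not
    on the allow-list (collections.OrderedDict) is refused; a world-writable
    file is rejected before it is read at all.
    """
    results = {}
    record = {"uid": 1000, "gid": 1000, "port": 8080}  # constructed sample
    results["benign_record_loads"] = restricted_loads(pickle.dumps(record)) == record

    try:
        restricted_loads(pickle.dumps(collections.OrderedDict()))
        results["unlisted_global_refused"] = False
    except pickle.UnpicklingError:
        results["unlisted_global_refused"] = True

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.tap")
        with open(path, "wb") as f:
            f.write(pickle.dumps(record))
        os.chmod(path, 0o600)
        results["owner_only_accepted"] = (
            check_persistence_file(path, os.getuid()) is None)
        results["owner_only_loads"] = (
            load_persistence_file(path, os.getuid()) == record)
        os.chmod(path, 0o666)
        results["world_writable_rejected"] = (
            check_persistence_file(path, os.getuid()) is not None)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The ownership check does not make pickle safe by itself; it only ensures that whoever can write the file already holds the privilege the file confers. The allow-list is what stops the pickle from naming arbitrary callables, and it has to be kept as small as the persisted state allows.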